aplanas wrote:
A ring of trust was also what was hacked in the XZ project. In two years (what Jia Tan used in total) the normal contributor in OBS would join and quit the project several times.
How would that affect anything if we forced checks of package tarballs against upstream? Any backdoor introduced in the package tarball (that is not present upstream) would show up in a diff against upstream's and still get caught.

If it is a patch (or multiple patches) we are talking about, I would argue it is more reasonable to expect reviewers to verify these (typically a handful, at most, of) plain text files as opposed to reviewing the who-knows-how-many files that comprise the source tarball.

Let us not get into the thought-scape of "nothing works perfectly, so let us do nothing at all."

Best wishes
-- Atri
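The check Atri proposes, as an added example that is not part of the thread or of any OBS tooling: the two tarballs are constructed locally to stand in for upstream's release and the packaged copy, and the file names, hash and report path are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check a packaged source tarball against
# upstream's, as the reply proposes. The two tarballs here are constructed
# locally to stand in for upstream's release and the one in the package;
# in practice you would download upstream's and verify its published
# checksum or signature before using it as the reference.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample: identical sources, plus one file that exists only in
# the packaged copy.
mkdir -p "$work/upstream/foo-1.0" "$work/packaged/foo-1.0"
printf 'int main(void) { return 0; }\n' > "$work/upstream/foo-1.0/main.c"
cp "$work/upstream/foo-1.0/main.c" "$work/packaged/foo-1.0/main.c"
printf 'not in upstream\n' > "$work/packaged/foo-1.0/extra.txt"
tar -C "$work/upstream" -cf "$work/foo-1.0-upstream.tar" foo-1.0
tar -C "$work/packaged" -cf "$work/foo-1.0-packaged.tar" foo-1.0

# checksum_matches TARBALL EXPECTED_SHA256: 0 if the tarball hashes to the
# value published upstream. A match settles the question; a mismatch does
# not by itself prove tampering, since a repacked tarball differs byte-wise
# even when its contents are identical, so fall through to tree_diff.
checksum_matches() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

# tree_diff UPSTREAM PACKAGED REPORT: extract both tarballs and diff the
# trees recursively. Returns 0 when identical; otherwise writes the
# differences (added, removed or changed files) to REPORT and returns 1.
tree_diff() {
    up=$(mktemp -d) pk=$(mktemp -d)
    tar -xf "$1" -C "$up"
    tar -xf "$2" -C "$pk"
    if diff -r "$up" "$pk" > "$3"; then rc=0; else rc=1; fi
    rm -rf "$up" "$pk"
    return "$rc"
}

upstream_sha=$(sha256sum "$work/foo-1.0-upstream.tar" | cut -d' ' -f1)
if checksum_matches "$work/foo-1.0-packaged.tar" "$upstream_sha"; then
    echo "packaged tarball is byte-identical to upstream"
elif tree_diff "$work/foo-1.0-upstream.tar" "$work/foo-1.0-packaged.tar" "$work/report.txt"; then
    echo "repacked, but contents match upstream"
else
    echo "contents differ from upstream; review the report:"
    cat "$work/report.txt"
fi
```

The report lists only what the packaged tarball adds, removes or changes relative to upstream, which is the handful of files a reviewer actually has to read.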